PYSEC-2026-312 CKAN remote code execution and private information access via crafted resource ids
Specific vulnerabilities: Arbitrary file write in the resource_create and package_update actions, using the ResourceUploader object. Also reachable via package_create, package_revise, and package_patch through their calls to package_update. Remote code execution via unsafe pickle loading, via Beaker's session store...
CKAN < 2.9.9 / 2.10.1 RCE
The version of CKAN installed on the remote host is prior to 2.9.9 or 2.10 prior to 2.10.1. It is, therefore, affected by a remote code execution vulnerability. A remote attacker with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded...